this post was submitted on 20 Jun 2023
9 points (100.0% liked)
Arch Linux
7791 readers
5 users here now
The beloved lightweight distro
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Here's how I run Firefox, for instance:
Using this for about 5 years. Ran
strace
on a session to see what to allow access to. It's got full access to/lib
and too much access to/sys
b/c I'm lazy, but it can not see any executables or most of~
.I'm using something similar whenever I want to precisely isolate a program.
Thank you for this. But if I may ask can you tell me what some of these options do? I can understand what some of these do just by looking, like giving directory access.
Will this work on my system where I use a combo of Wayland + Pipewire?
Check
bwrap(1)
for details, it's all there.Yes, and yes.
How do I use this btw? I pasted this on an executable and it says
Permission Denied
.It's a shell script, right? Save the text as a
<FILE>
,chmod +x <FILE>
,./<FILE>
.You might not have
zsh
, in which case you need to replace shebang (#!/bin/zsh
) with bash and fix what breaks (IIRC you can't quite do a printf like that in bash).It works by constructing an array of argument strings — which you can see with
echo $bwopt
— and printing it, concatenated using\0
as a separator. It's printed to a file descriptor, open as fd 9 in the child process. Alternatively, you can just givebwrap
those arguments directly (bwrap $bwopt
).